Reclassify to Verifiers and Formats

jzheaux · jzheaux · commit fd79dbbe66d5 · 2018-04-18T15:53:07.000-06:00
First, it appears to me that OAuth2 Access Tokens can be expressed in a number of formats. From the JWT spec: JSON Web Token (JWT) is a compact claims format And in the case of an opaque token, the format is "opaque" to us until, perhaps, it is processed. For now, the DSL supports the configuration of JWT and Opaque as formats supported by this resource server instance. Roughly speaking, each format configured implies an additional AuthenticationProvider. In configuring each format, the DSL supports custom ways to process tokens of that format. Second, verification strategies stand independent of the token's original format. Once any claims have actually been made, then they can be verified. At the very least, a token's claims to its own validity are confirmed. For example, a token's iat and exp. This is not configurable. Additionally, there are two additional standard verification steps, decrypting the claims and verifying the attached signature. The DSL, then, supports configuration of these two verification steps, though they will not result in instances of OAuth2AccessTokenVerifier. The DSL also allows for the specification of custom verification on top of basic verification. Issue: spring-projects/spring-security#5226
diff --git a/oauth2/oauth2-resource-server/src/main/java/org/springframework/security/config/annotation/web/configurers/oauth2/resourceserver/OAuth2ResourceServerConfigurer.java b/oauth2/oauth2-resource-server/src/main/java/org/springframework/security/config/annotation/web/configurers/oauth2/resourceserver/OAuth2ResourceServerConfigurer.java
@@ -17,31 +17,138 @@
 
 import org.springframework.security.config.annotation.web.HttpSecurityBuilder;
 import org.springframework.security.config.annotation.web.configurers.AbstractHttpConfigurer;
+import org.springframework.security.oauth2.core.AbstractOAuth2Token;
 import org.springframework.security.oauth2.core.OAuth2TokenVerifier;
+import org.springframework.security.oauth2.jwt.Jwt;
 import org.springframework.security.oauth2.resourceserver.web.BearerTokenResolver;
 
+/**
+ * Example configuration:
+ *
+ * oauth2().resourceServer().accessToken()
+ *     .formats()
+ *         .jwt()
+ *     .verifiers()
+ *         .signature().keys("http://jwk.url")
+ *
+ * Or:
+ *
+ * oauth2().resourceServer().accessToken()
+ *     .formats()
+ *         .jwt().processor(auth0AccessTokenProcessor())
+ *         .opaque().processor(auth0AccessTokenProcessor())
+ *     .verifiers()
+ *          .addVerifier(claims -> {
+ *              if ( claims.get("iss") == null ) {
+ *                  throw new OAuth2AuthenticationException(...);
+ *              }
+ *          })
+ *
+ * @author Josh Cummings
+ */
 public class OAuth2ResourceServerConfigurer<B extends HttpSecurityBuilder<B>> extends
 		AbstractHttpConfigurer<OAuth2ResourceServerConfigurer<B>, B> {
 
+	private AccessTokenFormatsConfigurer accessTokenFormatsConfigurer;
+	private AccessTokenVerifiersConfigurer accessTokenVerifiersConfigurer;
+
 	public OAuth2ResourceServerConfigurer<B> bearerTokenResolver(BearerTokenResolver resolver) {
 		return this;
 	}
 
-	public OAuth2ResourceServerConfigurer<B> accessTokenVerifier(OAuth2TokenVerifier... verifiers) {
-		return this;
+	public AccessTokenConfigurer accessToken(OAuth2TokenVerifier... verifiers) {
+		return new AccessTokenConfigurer();
 	}
 
-	public JwtConfigurer jwt() {
-		return null;
-	}
+	public class AccessTokenConfigurer {
+		public AccessTokenVerifiersConfigurer verifiers() {
+			return new AccessTokenVerifiersConfigurer();
+		}
 
-	public class JwtConfigurer {
-		public JwtConfigurer jwkSetUrl(String location) {
-			return this;
+		public AccessTokenFormatsConfigurer formats() {
+			return new AccessTokenFormatsConfigurer();
 		}
 
 		public OAuth2ResourceServerConfigurer<B> and() {
 			return OAuth2ResourceServerConfigurer.this;
 		}
 	}
+
+	public class AccessTokenVerifiersConfigurer {
+		public SignatureVerificationConfigurer signature() {
+			return new SignatureVerificationConfigurer();
+		}
+
+		public EncryptionVerificationConfigurer encryption() {
+			return new EncryptionVerificationConfigurer();
+		}
+
+		public AccessTokenVerifiersConfigurer addVerifier(OAuth2TokenVerifier verifier) {
+			return this;
+		}
+
+		public AccessTokenConfigurer and() {
+			return null;
+		}
+	}
+
+	public class SignatureVerificationConfigurer {
+		public SignatureVerificationConfigurer keys(String uri) {
+			return this;
+		}
+
+		public AccessTokenVerifiersConfigurer and() {
+			return OAuth2ResourceServerConfigurer.this.accessTokenVerifiersConfigurer;
+		}
+	}
+
+	public class EncryptionVerificationConfigurer {
+		public EncryptionVerificationConfigurer keys(String uri) {
+			return this;
+		}
+
+		public AccessTokenVerifiersConfigurer and() {
+			return OAuth2ResourceServerConfigurer.this.accessTokenVerifiersConfigurer;
+		}
+	}
+
+	public class AccessTokenFormatsConfigurer {
+		public OpaqueAccessTokenFormatConfigurer opaque() {
+			return new OpaqueAccessTokenFormatConfigurer();
+		}
+
+		public JwtAccessTokenFormatConfigurer jwt() {
+			return new JwtAccessTokenFormatConfigurer();
+		}
+
+		public AccessTokenConfigurer and() {
+			return null;
+		}
+	}
+
+	public class OpaqueAccessTokenFormatConfigurer {
+		public OpaqueAccessTokenFormatConfigurer processor
+				(OAuth2AccessTokenProcessor<? extends AbstractOAuth2Token> processor) {
+			return this;
+		}
+
+		public AccessTokenFormatsConfigurer and() {
+			return OAuth2ResourceServerConfigurer.this.accessTokenFormatsConfigurer;
+		}
+	}
+
+	public class JwtAccessTokenFormatConfigurer {
+		public JwtAccessTokenFormatConfigurer processor
+				(OAuth2AccessTokenProcessor<Jwt> processor) {
+			return this;
+		}
+
+		public AccessTokenFormatsConfigurer and() {
+			return OAuth2ResourceServerConfigurer.this.accessTokenFormatsConfigurer;
+		}
+	}
+
+	private interface OAuth2AccessTokenProcessor<T extends AbstractOAuth2Token> {
+		T process(String token);
+	}
 }
